[cvsnt] Re: cygwin ssh server and author being set to SYSTEM

Tony Hoyle tmh at nodomain.org
Tue Dec 16 00:37:29 GMT 2003


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


Hartmut Honisch wrote:
> I had once implemented an alpha release of such a package for cygwin, but
> they thought cygwin's way of handling impersonation was sufficient, the use
> of a subauthentication package would raise too many issues to justify its
> benefits.

The whole security thing for example...

If you allow users to login without passwords in that way, once that 
package is on the system it's a potential wide open security hole... 
*any* user that can execute LogonUser/LsaLogonUser with the correct 
parameters (and with an opensource package that wouldn't be too hard to 
work out - I could probably do it with a closed source one in a couple 
of hours) will be able to become administrator.

I looked at it for a bit myself and realised quickly that there's no way 
to stop a process raising its privilege level that way, so it wasn't 
worth the risk.

Tony




More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook